Specifies the MVS user ID that is used to represent unprotected
servlet requests when SAF authorization is specified or a local operating
system registry is configured. This user ID can be at most 8 characters
long.
This property definition is used in the following instances:
- For authorization if an unprotected servlet invokes an entity bean
- For identification of an unprotected servlet for invoking a z/OS connector
such as Customer Information Control System (CICS) or Information Management
System (IMS) that uses a current identity when res-auth=container
- When an application-initiated Synch to OS thread function is attempted
For more information, see the following articles in the information center:
- "Understanding application Synch to OS Thread Allowed"
- "When to use application Synch to OS Thread Allowed"
Specifies that SAF EJBROLE profiles are used for user-to-role authorization
for both Java 2 Platform, Enterprise Edition applications and the role-based
authorization requests (naming and administration) that are associated with
the application server runtime.
If a Lightweight Directory Access Protocol (LDAP) registry or a custom registry
is configured and SAF authorization is specified, a mapping to a z/OS principal
is required at each login for any protected methods to run:
- If the authentication mechanism is Lightweight Third Party Authentication
(LTPA), it is recommended that you update all of the following configuration
entries (such as WEB_INBOUND, RMI_INBOUND, and DEFAULT) to include a mapping
to a valid z/OS principal.
- If the authentication mechanism is Simple WebSphere Authentication Mechanism
(SWAM), you must update the SWAM configuration entry to include a mapping
to a valid z/OS principal.
Determines when an audit record is written to the System Management
Facility (SMF). On each authorization call, RACF or an equivalent SAF-based
product can write an audit record to SMF that contains the result of the authorization
check.
WebSphere Application Server for z/OS uses the SAF RACROUTE AUTH and RACROUTE
FASTAUTH operations and passes the LOG option that is specified in the security
configuration. The options are DEFAULT, ASIS, NOFAIL, and NONE.
To set this property, in the administrative console, complete the following
steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
- Click New.
- In the Name field, enter com.ibm.security.SAF.Authz.Log.Option.
- In the Value field, enter one of the following values:
- DEFAULT
  Specifies that when multiple role constraints are specified, such as when
  a user must be in one of a set of roles, all of the roles except for the
  last role are checked with the NOFAIL option. The last role is checked with
  the ASIS option. In this manner, if authorization is granted to any one of
  the roles, WebSphere Application Server writes an authorization success
  record. If authorization fails for a role that is checked with NOFAIL, no
  failure record is written for that role.
- ASIS
  Specifies that the audit events are recorded in the manner that is specified
  in the profile that protects the resource, or in the manner that is specified
  by the SETROPTS options.
- NOFAIL
  Specifies that failures are not recorded. Authorization failure messages
  are not issued, but successful authorization audit records might be written.
- NONE
  Specifies that neither successes nor failures are recorded.
Only one authorization failed record is written for a failed J2EE authorization
check, even if several SAF authorization calls are made. For more information
on the LOG options for SAF RACROUTE AUTH and RACROUTE FASTAUTH, see the RACF
or equivalent SAF-based product documentation.
Important: If a set of roles is permitted, for example in the role list of the
naming-authz.xml file, and an access violation occurs, an ICH408I access
violation message indicates that a failure has occurred for one of the roles.
The role that is associated with the failure might not be the minimal role
that is needed for this access request. Instead, the reported violation and
the corresponding ICH408I message indicate the final role in the list. SMF
logs a single access violation for the indicated role. To see all of the roles
that are verified, set the com.ibm.security.SAF.Authz.Log.Option custom
property to the ASIS value.
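The DEFAULT behaviour described above, modelled as an added example that is not IBM's code: a small Python simulation of the per-role SAF calls that a "user must be in one of these roles" constraint generates, and of the SMF-style records each LOG option produces. The role table, user IDs and the `saf_check` authorizer are constructed stand-ins for the real RACROUTE AUTH/FASTAUTH calls.

```python
# Constructed role table: role name -> set of MVS user IDs permitted to it.
# In the product these decisions come from SAF EJBROLE profiles, not a dict.
PERMITTED = {"admin": {"ALICE"}, "operator": {"BOB"}, "viewer": {"CAROL"}}
LOG_OPTIONS = ("DEFAULT", "ASIS", "NOFAIL", "NONE")


def saf_check(user, role, log, permitted, audit):
    """Stand-in for one RACROUTE call issued with the given LOG option.
    Appends (role, outcome) audit records following the documented semantics:
    ASIS records success and failure, NOFAIL records only success, NONE nothing."""
    granted = user in permitted.get(role, set())
    if log == "ASIS":
        audit.append((role, "SUCCESS" if granted else "FAILURE"))
    elif log == "NOFAIL" and granted:
        audit.append((role, "SUCCESS"))
    elif log not in ("NOFAIL", "NONE"):
        raise ValueError(f"not a per-call LOG option: {log}")
    return granted


def authorize_any_role(user, roles, option, permitted=PERMITTED):
    """Authorize `user` against a constraint satisfied by any role in `roles`.
    Returns (granted, audit_records). With DEFAULT, every role but the last is
    checked with NOFAIL and the last with ASIS, so a denial is reported only
    against the final role in the list (the ICH408I behaviour described above)."""
    if option not in LOG_OPTIONS:
        raise ValueError(f"unknown com.ibm.security.SAF.Authz.Log.Option: {option}")
    audit = []
    for index, role in enumerate(roles):
        is_last = index == len(roles) - 1
        log = ("ASIS" if is_last else "NOFAIL") if option == "DEFAULT" else option
        if saf_check(user, role, log, permitted, audit):
            return True, audit  # first grant satisfies the constraint
    return False, audit


def reported_violation_role(audit):
    """Role named in the single FAILURE record, or None if no failure was logged."""
    failures = [role for role, outcome in audit if outcome == "FAILURE"]
    return failures[-1] if failures else None


if __name__ == "__main__":
    roles = ["admin", "operator", "viewer"]
    for option in LOG_OPTIONS:
        granted, audit = authorize_any_role("DAVE", roles, option)
        print(f"{option:8} granted={granted} records={audit}")
```

Running it shows that under DEFAULT a denied user produces one FAILURE record naming only "viewer", the last role, while ASIS shows a failure for every role that was verified.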
You can use the com.ibm.security.SAF.Authz.Log.Option custom property with the
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress custom property to control
the ICH408I failure messages. To set the
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress custom property, complete
the following steps:
- Click Security > Global security.
- Under User registries, click Local OS.
- Under Additional properties, click Custom properties.